For anyone who stays up to date on the SEC’s annual priorities report, you may have noticed that the 2024 Examination Priorities report was released a few months earlier than usual, to align with the start of the federal government’s fiscal year. The early release of this publication and the omission of environmental, social, and governance (ESG) issues are just two of the main differences you’ll find in the 2024 report.
However, the relationship between third-party risk management (TPRM) and operational resiliency remains a focus area for the SEC, and two notable additions are worth reviewing as you prepare for the year ahead.
Note: Text taken directly from the report is noted in italics.
What Are Essential Business Operations and Critical Third Parties?
The report states that examiners will evaluate how organizations identify and address risks to essential business operations. So, what’s considered an “essential” business operation or vendor? It may help to think in terms of the third-party vendor’s criticality or the impact a vendor might have on your operations. Here’s a quick exercise you can use to determine whether a vendor’s product or service is critical.
Ask yourself the following three questions about one of your third-party vendors:
- Would our organization be significantly disrupted if we suddenly lost this vendor?
- Would our customers be significantly impacted if we suddenly lost this vendor?
- Would our organization or customers be significantly impacted if we experienced a service disruption that lasted longer than 24 hours?
If you answer “yes” to any of these questions, that’s a good indication that the vendor is critical. Furthermore, you’ll notice that two of these questions address the impact on your customers, which is sometimes overlooked in the discussion of criticality or essential operations.
Once you’ve identified the vendors that are critical to your organization, it’s important to apply the highest level of due diligence and ongoing monitoring to them. Periodic risk re-assessments and due diligence should occur at least once a year. Keep a record of all due diligence documents, as examiners may ask to see them.
How to Manage Third-Party Concentration Risk
In addition to essential business operations, the SEC plans to focus on concentration risk associated with the use of third-party providers. Third-party concentration risk can refer to two different situations:
- The first is when your organization relies on a single third-party vendor to provide multiple high-risk or critical products and services. You can probably imagine the negative impact your organization would face if this vendor were to suddenly fail or go out of business.
- The second situation would be one in which a significant number of your organization’s vendors are concentrated in the same geographic location. In this case, a natural disaster or another external event could potentially impact most of your vendors and create operational disruptions for your organization.
Depending on your organization’s needs, it may not be possible to completely eliminate third-party concentration risk. Therefore, you must address this risk within your third-party risk management program.
Here are some tips to keep in mind:
- Consider backup vendors – During the vendor selection process, you may want to consider whether there are any reliable backup options that you can turn to if necessary. If you’ve identified an acceptable backup or alternate vendor, this should be included within your exit strategy.
- Review your vendor’s business continuity (BC) and disaster recovery (DR) plans – A vendor’s BC/DR plans are important documents that should be reviewed during the initial and ongoing due diligence processes. These plans will give insight into how your vendor will respond to a business-disrupting event and how quickly they expect to return to normal operations. BC/DR plans should also be tested regularly to ensure they’re effective.
- Monitor closely and utilize risk intelligence – Vendor concentration risk means you should monitor those vendors more closely for any signs of new or evolving risks, but news alerts can only take you so far. To ensure that you have real-time third-party risk information, consider using professional risk intelligence firms, which can alert you to a vendor’s poor cyber risk practices, declining financial health, negative news, known threats, and vulnerabilities that can spell trouble for your vendor – and ultimately your organization.
The SEC is just one of several regulators that have increased their focus on third-party risk management in recent years. Along with the recent Interagency Guidance on Third-Party Relationships: Risk Management, these priorities reveal the strong connection between an organization’s operational resilience and the effectiveness of its third-party risk management program. By identifying your critical vendors and understanding concentration risk, your organization will be better equipped to operate safely and soundly with its third-party vendors.